Here we go: https://www.bleepingcomputer.com/news/security/red-hat-warns-of-backdoor-in-xz-tools-used-by-most-linux-distros/

As I said, the impact here will be very limited due to how quick it was caught. Everybody owes the finder a beer.

Back in 2022 a host of characters appeared and basically bullied the creator of the XZ project to hand it over to somebody else - at the time the guy cited mental health issues around not updating the project quickly.

At the time he was already talking about maybe handing over to the account who years later introduced the backdoor.

In mid 2023 said account introduced a change to Google’s OSS Fuzzer to weaken detection for XZ.

Somebody played a years long game of Jenga and lost.

Before everybody high fives each other, this is how the backdoor was found: somebody happened to look at why CPU usage had increased in sshd, and did all the research and notification work themselves. By this point the backdoor had been there for a month unnoticed.

I’ve made the joke before that if GCHQ aren’t introducing backdoors and vulns in open source that I want a tax refund. It wasn’t a joke. And it won’t be just be GCHQ.

https://mastodon.social/@AndresFreundTec/112180406142695845

Another two thoughts on XZ -

- sshd itself has no dependency on the XZ utils library. The streams got crossed in a way I don’t think anybody understood (except the threat actor).

- had that backdoor been performant with sshd, I don’t think anybody would have spotted it.

The way this played out opens a window of opportunity to go back and look at both issues.

Really good timeline of what is known to have happened so far. It looks like the rogue developer deliberately introduced a vulnerability in other package, too - I haven’t seen anybody else mention this.

Reading the dev’s GitHub history, they’ve been making changes to other open source projects too around compression. It also appears they/somebody involved has other accounts, too.

https://boehs.org/node/everything-i-know-about-the-xz-backdoor

How far the rabbit hole goes - back in 2021 they deliberately introduced a risky change in the compression library libarchive. Nobody noticed. This is shipped in a ton of systems:
https://github.com/libarchive/libarchive/pull/1609

Whoever the threat actor is knows what they are doing as they’ve gone after chained dependencies around compression.

If anybody thinks this kind of thing is unique, it isn’t.

Example - CVE-2021-44529 in Ivanti Endpoint Manager. The cause?

Backdoor in open source code, was there for 7 years.

https://borncity.com/win/2024/02/22/ivanti-endpoint-manager-vulnerability-cve-2021-44529-code-injection-or-backdoor/

XZ Embedded Linux kernel module for IoT devices, 10 days ago had a change submitted to add Jia Tan (backdoor author) as a maintainer.

https://lore.kernel.org/lkml/202403201[email protected]/

Linux kernel documentation: https://docs.kernel.org/staging/xz.html

The GitHub repository for XZ Embedded kernel module has also been disabled: https://github.com/tukaani-project/xz-embedded/